Rate Limiting: API Rate Limiting

Last updated: 2/9/2026. Reading time: 4 min.


Full Name: API Rate Limiting

Definition

Rate limiting is a security and infrastructure protection mechanism that restricts the number of API requests a client can make within a defined time window. In the context of the EUDI Wallet ecosystem, rate limiting is applied across credential issuance endpoints (OpenID4VCI), credential verification APIs (OpenID4VP), trust registry queries, revocation status checks, and wallet instance attestation services. By enforcing request thresholds, rate limiting prevents denial-of-service attacks, brute-force enumeration attempts, and resource exhaustion while ensuring that the digital identity infrastructure remains available and performant for all legitimate users across the EU.

Rate Limiting Strategies in the EUDI Wallet Infrastructure

The EUDI Wallet ecosystem employs multiple rate limiting strategies tailored to different components and threat models. Fixed-window rate limiting divides time into fixed intervals (such as 60-second windows) and counts requests within each window. Sliding-window rate limiting provides smoother enforcement by considering a rolling time period, preventing burst attacks at window boundaries. Token bucket algorithms allow temporary bursts while maintaining long-term rate constraints, which is useful for wallet operations that may involve rapid sequences of related requests during a credential issuance flow.

Different endpoints in the EUDI Wallet ecosystem require different rate limiting configurations. Credential issuance endpoints, which involve computationally expensive cryptographic operations and database writes, typically have lower rate limits (perhaps 10-50 requests per minute per client). Status list and revocation check endpoints, which are read-only and frequently accessed, may have higher limits (hundreds or thousands per minute) to accommodate legitimate high-volume verification scenarios. The EU Trusted List query endpoints may implement caching-aware rate limiting that encourages clients to cache responses and penalizes clients that repeatedly request unchanged data.

Rate limiting in the EUDI ecosystem is often implemented at multiple layers: at the API gateway or load balancer level for broad protection, at the application level for more granular per-endpoint controls, and at the database level to prevent query-based resource exhaustion. This layered approach ensures that no single point of failure can bypass the rate limiting protections.
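To make the window-boundary point concrete, here is an added example (not code from the ARF or any EUDI project) of a fixed-window and a sliding-window limiter driven by explicit timestamps; the constructed traffic sends a full quota just before a 60-second boundary and another full quota just after it.

```python
from collections import deque


class FixedWindowLimiter:
    """Counts requests inside fixed intervals of `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.window_start, self.count = None, 0

    def allow(self, now):
        # Boundary of the fixed window that contains `now`.
        start = now - (now % self.window)
        if start != self.window_start:        # new window: reset the counter
            self.window_start, self.count = start, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


class SlidingWindowLimiter:
    """Counts requests in the rolling `window` seconds ending at `now`."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.stamps = deque()                 # timestamps of accepted requests

    def allow(self, now):
        while self.stamps and self.stamps[0] <= now - self.window:
            self.stamps.popleft()             # forget requests older than the window
        if len(self.stamps) < self.limit:
            self.stamps.append(now)
            return True
        return False


def boundary_burst(limiter_cls, limit=10, window=60.0):
    """Constructed traffic: `limit` requests at t=59.9 s, then `limit` more at
    t=60.1 s. Returns how many of the 2*limit requests were accepted, i.e. how
    many a client could push through within 0.2 s around the boundary."""
    limiter = limiter_cls(limit, window)
    accepted = 0
    for t in [59.9] * limit + [60.1] * limit:
        accepted += limiter.allow(t)
    return accepted
```

With a limit of 10 per minute the fixed window accepts all 20 requests of the burst, while the sliding window accepts only the first 10.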

Rate Limiting and Privacy Protection

Beyond its traditional role in preventing abuse, rate limiting serves an important privacy protection function in the EUDI Wallet ecosystem. Without rate limiting, an attacker could systematically probe verification endpoints to determine whether specific individuals hold certain credentials, effectively conducting mass surveillance through API enumeration. For example, an attacker might send millions of verification requests to determine which wallet instances hold medical credentials, building a health profile database without user consent.

Rate limiting also protects against correlation attacks where an adversary attempts to link pairwise identifiers by rapidly querying multiple services and analyzing timing patterns. By enforcing consistent response times and limiting query volumes, rate limiting makes such timing-based correlation attacks significantly more difficult to execute at scale.

The implementation must balance security with usability. Overly restrictive rate limits could prevent legitimate use cases such as a border control station processing multiple travelers in quick succession, or a large employer verifying credentials for hundreds of new hires during onboarding. The EUDI Wallet Architecture Reference Framework recommends adaptive rate limiting that can dynamically adjust thresholds based on verified client identity, time of day, and historical usage patterns.

Implementation Best Practices for EUDI Wallet Services

EUDI Wallet service providers should implement rate limiting with clear, documented policies that specify the limits for each endpoint, the response behavior when limits are exceeded, and the mechanism for legitimate clients to request higher limits. Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) should be included in all API responses to help clients self-regulate their request patterns and implement appropriate backoff strategies.

For credential issuer implementations, rate limiting should be applied per wallet instance attestation (WIA) rather than solely per IP address, as multiple legitimate wallet instances may share the same IP address when using mobile networks or VPNs. This prevents legitimate users from being unfairly throttled while maintaining protection against individual misbehaving clients.

Monitoring and alerting should be integrated with the rate limiting system to detect patterns that may indicate attack attempts, even when individual clients remain within their limits. Distributed attacks using many clients at low individual rates can still overwhelm infrastructure, requiring aggregate rate limiting at the service level in addition to per-client limits. The European Cybersecurity Agency (ENISA) provides guidelines for securing critical infrastructure services that apply directly to EUDI Wallet rate limiting implementations.
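The three practices above (rate limit headers, keying on the wallet instance attestation instead of the IP address, and an aggregate service-level limit next to the per-client limits) can be combined in one issuer-side check. The following is an added example, not code from any EUDI component; `wia_id` stands for whatever identifier the issuer derives from a validated WIA, and the default quotas (10 per minute per wallet, 1000 per minute for the endpoint) are assumed values in the range the text mentions.

```python
import math


class TokenBucket:
    """Holds up to `capacity` tokens, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = float(capacity), now

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now

    def retry_after(self):
        # Whole seconds until a token is available again (0 if one is available now).
        return 0 if self.tokens >= 1 else math.ceil((1 - self.tokens) / self.rate)


class IssuerRateLimiter:
    """Per-WIA buckets plus one aggregate bucket for the whole issuance endpoint."""

    def __init__(self, now, per_client=(10, 10 / 60), aggregate=(1000, 1000 / 60)):
        self.per_client = per_client
        self.buckets = {}                                   # wia_id -> TokenBucket
        self.aggregate = TokenBucket(*aggregate, now)

    def check(self, wia_id, now):
        """Returns (allowed, headers) for one request from the given wallet instance."""
        # Key on the wallet instance attestation id, not the source IP, so wallets
        # behind carrier NAT or a VPN do not share one quota.
        if wia_id not in self.buckets:
            self.buckets[wia_id] = TokenBucket(*self.per_client, now)
        bucket = self.buckets[wia_id]
        bucket.refill(now)
        self.aggregate.refill(now)
        # A request must pass both the per-client and the aggregate limit; tokens
        # are spent only when it does, so a rejection never consumes quota.
        allowed = bucket.tokens >= 1 and self.aggregate.tokens >= 1
        if allowed:
            bucket.tokens -= 1
            self.aggregate.tokens -= 1
        headers = {
            "X-RateLimit-Limit": str(bucket.capacity),
            "X-RateLimit-Remaining": str(int(bucket.tokens)),
            "X-RateLimit-Reset": str(max(bucket.retry_after(), self.aggregate.retry_after())),
        }
        return allowed, headers
```

A rejected request should be answered with HTTP 429 and these headers, so that a well-behaved wallet backs off for X-RateLimit-Reset seconds instead of retrying immediately.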


Information verified against official sources (2/16/2026)

